It has been well-established that a skills gap exists among organizational security needs and the ability to effectively staff skilled technical teams. In fact, The Life and Times of Cybersecurity Professionals, a joint report by ESG and ISSA, found that nearly half of respondents claimed their organization has a “problematic shortage of cybersecurity skills,” and an additional 70% cited that this shortage has already impacted their organization.

These effects have included increased workload, leveraging junior staff in place of experienced cybersecurity professionals and an increased emphasis on high-priority security events over planning, strategy and training.¹ As a result, many organizations have experienced an increase in turnover and decreased job satisfaction among employees, which further perpetuates this shortage.

Identifying the Gap in the Bridge

As the growing demand to keep up with the increase in cyber-attacks widens the gap between the finite supply of skilled professionals, organizations must self-evaluate to determine if this skills shortage is leaving their digital assets vulnerable to an attack.

According to ISACA’s State of Cybersecurity 2018, 77% of respondents indicated a need for an increase in technical security employees at the individual contributor level.²

This shortage of technical skills at the lower levels also trickles up to management, which further widens the gap and creates even greater challenges for an organization.

So how does an organization begin to address this skills gap? Looking externally is proving to be difficult in what is clearly an applicant’s market.

There has been no lack of demand for cybersecurity professionals, with national demand growing approximately 97% between 2013 and 2015 alone.³ Considering global damages from cyber-attacks have increased over 1400% from that time (325 million in 2015 vs. an expected five billion in 2017), that demand is not expected to slow.²

This seemingly leaves organizations with one logical option: build from within. Both the ESG/ISSA's and ISACA’s finding have encouraged organizations to improve their workforce development through increased training and mentorship initiatives. Yet, data from a recent SANS Institute report on IT Security Spending Trends indicates that “staff training and certification” is far from a top priority with only 39% of respondents including it in their security spending (good for seventh out of the top ten areas).⁴

Making the initial investment in developing a program to improve the knowledge, skills and abilities of your workforce may seem daunting. But, if implemented correctly, the end result of such a program should be a mutually beneficial outcome for both businesses and their employees.

Opportunities to Address Workforce Development

For organizations seeking to strengthen the skills of their current employees and develop new cybersecurity talent, there are a number of opportunities available.

Looking at what employees value in The Life and Times of Cybersecurity Professionals, the sources of furthering their knowledge, skills and abilities may be bucketed into five main groups, outlined in more detail below:¹

• Cybersecurity training courses and degree programs
• Participating in professional organizations
• Attending industry events and trade shows
• On-the job mentoring
• Achieving additional certifications

Training Courses and Degree Programs

When it comes to furthering their skills through education, there are a number of opportunities available, many of which are offered online. Depending on your organization’s needs, your employees can take advantage of educational options ranging from one-day workshops to master’s programs.

If you are looking to develop your employees through specialized courses, organizations such as MindEdge Learning offer a variety of specialized cybersecurity modules to help keep their skills up-to-date. Many of your employees who are ISSA members may already have access to these resources through their membership.

If your organization is seeking to provide your employees with a more immersive experience, or if you are seeking to develop employees from within, a university-based certificate or degree program may be of interest to your employee, especially if your organization has tuition reimbursement benefits in place.

There are a number of well-known universities, including Quinnipiac in Hamden, CT, that offer a technically-focused online master’s program in cybersecurity. Many universities, such as Quinnipiac, also offer free organizational partnership opportunities that can help your employees pursue an advanced degree at a discounted rate.

Having a partnership in place also provides the opportunity to create a sustainable talent pipeline within your organization.

Professional Organizations

As a cybersecurity professional, you are likely well aware that there are a number of well-respected professional organizations available for your employees to join.

Encouraging employees to actively participate and network within these associations helps your employees learn from others working in the field and gain a more diverse perspective that may be applicable to challenges within your own organization. In fact, over half of the individuals surveyed by ESG and ISSA who transitioned into cybersecurity from IT cited networking as the most helpful factor in approaching their move.¹

Industry Events & Trade Shows

Directly related to the associations above, there are many well-established conferences that you attend like the ISSA International Conference and RSA Conference that provide valuable learning sessions and networking opportunities that could benefit your individual contributors.

Coaching & Mentoring

Leveraging your strongest talent from within can be a great way to help bridge the skills gap. Mentorship programs are proven to help increase employee engagement, with 83% of those participating in mentorship programs reporting that it increased their desire to stay with their current organization.⁵

Research also indicates that one in five cybersecurity employees feel that a mentor or career coach can help take them to the next level career-wise.¹ For organizations looking to grow from within, the resources may already be available to improve your team’s technical skills and increase their overall bandwidth.

Certifications

While 61% of ISSA members surveyed felt that certifications are more valuable for getting a job than doing a job, encouraging and funding employees’ abilities to pursue additional certification can be a valuable resource in keeping their skills sharp.¹

Beyond the CISSP, other well-known certifications such as CISM, CompTia Security+, CISA and CEH may emphasize the technical skills your organization is looking to strengthen.

The ROI of Workforce Development

Each of these options provides an immense value to improve your employees’ KSAs. While supporting the pursuit of each of these may appear costly, the benefits of focusing on your workforce development should ultimately provide a strong return on investment.

Nearly 66% of respondents to the ESG/ISSA survey reported that they do not have a clearly defined path to take their career to the next level and would like to see more training and formal guidelines. Providing incentives for employees to further their skills can go a long way in improving job satisfaction and show your organization’s commitment to cybersecurity. There is still a tremendous opportunity to be an early adopter in providing more resources to your employees based on the following findings from that same survey:¹

• 60% of employees are only “somewhat satisfied”, “not very satisfied” or “not at all satisfied” with their current positions.
• 81% feel some combination of coaching, standardized career maps or technical training maps would help get them to the next level career-wise.
• 38% feel that their current organization is providing an appropriate level of training to keep up with business and IT risks.

The demand from employees is evident, but to this point nearly two-thirds of businesses are failing their employees when it comes to development.

In an applicant's market, when employees are not receiving what they need, they will leave. ISACA is estimating a global shortage of two million cybersecurity professionals by 2019, which means there is no shortage of opportunities for your current employees.² In fact, nearly half of the respondents to ISSA’s survey noted that they are contacted about another cybersecurity job at least once per week, and one in five cited career development as the top reason they left their current job.¹

When an employee leaves, that cost is passed on directly to your business. Based on conservative 2017 estimates, replacing an employee costs an organization 33% of their average salary.⁶ In a field like cybersecurity where demand already outweighs supply, you can expect that figure to climb significantly.

Beyond the costs associated with replacing an employee, turnover creates even greater shortages that can leave your organization more prone to fall victim to a cyber-attack. A single cyber-attack is estimated to cost an organization an average of five million dollars⁷ — a number that tends to scale with the size of your business.

When you run the cost-benefit analysis, making the investment up front to develop your workforce, mitigate risk and prevent a breach will ultimately make your business more profitable in the long run.

Taking the Next Step

Based on the data, the message is clear: invest in your workforce development to retain employees and close the skills gap within your own organization. This won’t happen overnight; it may even require extensive planning or an entire culture shift, but the only way to bridge the skills gap and mitigate risk to your organization is through supporting your employees.

Quinnipiac is committed to helping organizations and their employees develop the practical skills needed to be well-prepared for success.

For those currently working in, or looking to transition into a cybersecurity role, the School of Engineering offers an online MS in Cybersecurity that teaches the technical skills needed to identify, prevent and counter sophisticated cyber-attacks. Quinnipiac is also proud to partner with organizations to provide affordable opportunities for your employees to further their skills.

¹ Oltisk, J. (2017, November). The Life and Times of Cybersecurity Professionals. Retrieved April 17, 2018, from https://www.esg-global.com

² ISACA. (2018). State of Cybersecurity 2018: Workforce Development. Retrieved April 17, 2018, from https://cybersecurity.isaca.org/state-of-cybersecurity

³ Kalumbi, V., & Diaz, N. A. (2016). Market Demand for Cybersecurity Professionals. Retrieved April 17, 2018, from https://www.eab.com

⁴ Filkins, B. (2016, February). IT Security Spending Trends. Retrieved April 17, 2018, from https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697

⁵ River Software. (n.d.). Mentoring ROI. Retrieved April 17, 2018, from https://www.riversoftware.com/resources/infosheets/River-ROI.pdf

⁶ Sears, L., Ph.D. (2017). 2017 Retention Report. Retrieved April 17, 2018, from workinstitute.com/retentionreport

⁷ Ponemon Institute. (2017, November). The 2017 State of Endpoint Security Risk. Retrieved April 17, 2018, from https://cdn2.hubspot.net/hubfs/468115/Campaigns/2017-Ponemon-Report/barkly-2017-state-of-endpoint-security-risk-ponemon-institute-final.pdf